Fahim Abbasi wrote:
> On Fri, Sep 19, 2008 at 4:00 AM, <[EMAIL PROTECTED]> wrote:
>
>> From: Dave <[EMAIL PROTECTED]>
>> Subject: Re: [Honeywall] Re: Sebek Install problem
>>
>> Excellent, I read your previous email first and was beginning to think
>> it was a kernel issue.
>> Glad you got it sorted.
>>
>> I am very much a Linux, Honeywall, Sebek beginner myself so I cannot
>> really help you with the ssh packet stream. I think the tools
>> sbk_extract and sbk_ks_log.pl will allow you to first extract Sebek
>> packets from a tcpdump file and then view the attacker's keystrokes.
>>
>> http://www.honeynet.org/papers/sebek.pdf
>
> Usually I view the logs via Walleye, but this sure sounds handy (will give
> it a go). Thanks. The only problem with Walleye is that you have to dig down
> the process tree till you hit the information you were looking for
> (keystrokes/passwords/files). I scp'd a flat text file onto the honeypot to
> test, but the logs only highlight the file name, location and permissions,
> not the file/binary contents. This was done by inserting the module with
> KEYSTROKE_ONLY=0, which suggests that the only way to retrieve/extract the
> file/binary is to get it off the honeypot from the location pointed to by
> the Sebek logs, not passively via Sebek.
>
>> I am having problems myself with ssh. Although others from outside my
>> LAN can connect and attempt to brute-force ssh, I cannot: when I attempt to
>> connect to ssh via my external IP (the one provided by my ISP), my machine
>> or the router keeps sending a reset packet after the SYN-ACK handshake.
>>
>> I can connect to the other services on the honeypot like Samba and my
>> LAMP-based website via my external IP, but ssh is a no-go.
>>
>> Dave
>
> This is unusual and seems like a firewall issue; try flushing iptables at the
> honeypot to test this hypothesis (if the reset packet is generated by the
> honeypot). Otherwise check your router for any rule against your honeypot:ssh
> (if the reset is coming from the router).
>
> An interesting, rather crude exercise would be to try to ssh into your honeypot
> from the honeywall (test by assigning the management interface an IP from
> your current subnet; it should be on the same LAN to avoid routing if there are
> any problems during testing).

Thanks Fahim,

Your suggestion gave me an idea. Because of the limitations I have with hardware, my honeypot is on the same subnet as the rest of my network, so I make use of the fencelist in Honeywall to protect my other machines. Even though the connecting IP address when I ssh via my external IP is my router gateway address, which is not on the fencelist, the machine I was attempting to ssh to the honeypot from via that external address is. I gave my machine an address not on the fencelist and it worked. This is odd considering I can connect to the other services via my external interface whilst my machine does have a fencelist IP. Anyhow, it is all working.

Cheers
Dave

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
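As an added example, not code from this thread or from the Sebek project, here is a small Python parser that does in miniature what the sbk_extract / sbk_ks_log.pl step mentioned above does: it pulls Sebek records out of captured payload bytes, reassembles the per-process keystroke streams, and lists the file names from open() records. The 56-byte header layout, the magic value and the type codes are assumptions modelled on the Sebek v3 format (check them against sebek.h and the paper linked above), and the sample records are constructed.

```python
import struct
from collections import defaultdict

# Sebek v3 record header as assumed here (56 bytes, network byte order):
# magic, ver, type, counter, time_sec, time_usec, parent_pid, pid, uid, fd,
# inode, com[12], length.  Verify against sebek.h before relying on it.
SBK_HDR = struct.Struct("!IHHIIIIIIII12sI")
SBK_MAGIC = 0xD0D0D0D0          # constructed; the real value is the MAGIC_VAL set at insmod
SBK_READ, SBK_OPEN = 0, 3       # assumed type codes: 0 = read(), 3 = open()

def parse_records(buf):
    """Yield (header dict, payload) for each record in a concatenated Sebek stream."""
    off = 0
    while off + SBK_HDR.size <= len(buf):
        f = SBK_HDR.unpack_from(buf, off)
        if f[0] != SBK_MAGIC:           # not on a record boundary: slide forward one byte
            off += 1
            continue
        start, length = off + SBK_HDR.size, f[12]
        yield {"type": f[2], "counter": f[3], "pid": f[7], "uid": f[8], "fd": f[9],
               "com": f[11].rstrip(b"\0").decode(errors="replace")}, buf[start:start + length]
        off = start + length

def keystrokes(records):
    """Reassemble per-process keystroke streams from read() records on fd 0 (stdin)."""
    streams = defaultdict(bytes)
    for hdr, data in sorted(records, key=lambda r: r[0]["counter"]):
        if hdr["type"] == SBK_READ and hdr["fd"] == 0:
            streams[(hdr["pid"], hdr["com"])] += data
    return dict(streams)

def opened_files(records):
    """List (pid, command, path) for open() records; the payload is assumed to hold the path."""
    return [(h["pid"], h["com"], d.rstrip(b"\0").decode(errors="replace"))
            for h, d in records if h["type"] == SBK_OPEN]

def _rec(typ, pid, fd, com, data, counter):
    """Build one constructed record (stand-in for a UDP payload captured by tcpdump)."""
    hdr = SBK_HDR.pack(SBK_MAGIC, 3, typ, counter, 1221800000, 0, 1, pid, 0, fd, 0,
                       com.encode().ljust(12, b"\0"), len(data))
    return hdr + data

# Constructed sample: a shell reading two keystroke chunks, then cat opening and reading a file.
SAMPLE = b"".join([
    _rec(SBK_READ, 4242, 0, "bash", b"cat ", 1),
    b"\xff\xff",                                      # constructed junk between records
    _rec(SBK_READ, 4242, 0, "bash", b"test.txt\n", 2),
    _rec(SBK_OPEN, 4243, 3, "cat", b"/tmp/test.txt\0", 3),
    _rec(SBK_READ, 4243, 3, "cat", b"hello from the honeypot\n", 4),
])

if __name__ == "__main__":
    recs = list(parse_records(SAMPLE))
    for (pid, com), keys in keystrokes(recs).items():
        print(f"[{pid} {com}] {keys!r}")
    print(opened_files(recs))
```

Note that with KEYSTROKE_ONLY=0 the read() records on other descriptors (the cat record above) carry file data too, which is the distinction the thread is drawing between keystroke capture and full read capture.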
